From 84631f4d39aba8dfcf6f884fb9ea28a43e98c4ef Mon Sep 17 00:00:00 2001
From: John Ericson
Date: Fri, 25 Aug 2017 01:14:43 -0400
Subject: [PATCH 1/2] cc-wrapper: Remove redundant hardening

GCC just passes `-z ...` flags to ld unaltered, and they are already passed to LD anyways. On the other hand, `-pie` affects gcc behavior too.
---
 pkgs/build-support/cc-wrapper/add-hardening.sh | 1 +
 pkgs/build-support/cc-wrapper/cc-wrapper.sh | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index aa8eb720486cf2..af98ea03e52934 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -43,6 +43,7 @@ if [[ -z "${hardeningDisableMap[all]:-}" ]]; then
 hardeningCFlags+=('-fPIE')
 if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
 if [[ -n "${NIX_DEBUG:-}" ]]; then echo HARDENING: enabling LDFlags -pie >&2; fi
+ hardeningCFlags+=('-pie')
 hardeningLDFlags+=('-pie')
 fi
 ;;
diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
index 1c654ea4756787..6099535600c73d 100644
--- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@@ -138,7 +138,7 @@ if [ "$dontLink" != 1 ]; then
 # Add the flags that should only be passed to the compiler when
 # linking.
- extraAfter+=($NIX_@infixSalt@_CFLAGS_LINK "${hardeningLDFlags[@]}")
+ extraAfter+=($NIX_@infixSalt@_CFLAGS_LINK)
 # Add the flags that should be passed to the linker (and prevent
 # `ld-wrapper' from adding NIX_@infixSalt@_LDFLAGS again).

From 345885f89f811281b23093e85a3e3ea5fec31b9e Mon Sep 17 00:00:00 2001
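Review bot: The new `hardeningCFlags+=('-pie')` line inherits the guard two lines above it, which only recognises `-shared` or `-static` when they are surrounded by spaces inside `"$*"`; a `-shared` that is the first or last argument is not matched, and the compiler driver is now handed `-pie` for that link, which per the commit message changes gcc's own behaviour rather than just ld's. Tightening the test to `if [[ ! ("$*" =~ (^|" ")-shared(" "|$) || "$*" =~ (^|" ")-static(" "|$)) ]]; then` closes that gap for both arrays. The NIX_DEBUG message on the preceding line still reads `enabling LDFlags -pie` and could say `enabling CFlags and LDFlags -pie` now that both arrays receive the flag. The enclosing `case` arm and the loop around it start and end outside the hunk.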
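Review bot: The comment above the changed `extraAfter+=($NIX_@infixSalt@_CFLAGS_LINK)` line still only describes what is added and says nothing about why `hardeningLDFlags` no longer appears there, so a later reader is likely to put it back. A one-line why-comment next to it, `# hardeningLDFlags are deliberately not forwarded here: the ld wrapper adds them itself.`, ties the removal to the commit's rationale. That the linker wrapper really applies them is stated only in the commit message and is not visible in this hunk, so it is worth confirming before the comment is written as fact. The `if [ "$dontLink" != 1 ]` body continues outside the hunk.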
From: John Ericson
Date: Mon, 28 Aug 2017 14:56:08 -0400
Subject: [PATCH 2/2] mkDerivation, cc-wrapper: Check hardening flag validity in Nix

This becomes necessary if more wrappers besides cc-wrapper start supporting hardening flags. Also good to make the warning into an error. Also ensure interface is being used right: Not as a string, not just in bash.
---
 pkgs/build-support/cc-wrapper/add-hardening.sh | 3 ++-
 pkgs/os-specific/linux/devmem2/default.nix | 3 ++-
 .../os-specific/linux/firmware/fwupdate/default.nix | 2 +-
 pkgs/stdenv/generic/make-derivation.nix | 13 +++++++++++++
 pkgs/tools/networking/envoy/default.nix | 2 +-
 5 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index af98ea03e52934..34358e04194a5b 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -68,7 +68,8 @@ if [[ -z "${hardeningDisableMap[all]:-}" ]]; then
 hardeningLDFlags+=('-z' 'now')
 ;;
 *)
- echo "Hardening flag unknown: $flag" >&2
+ # Ignore unsupported. Checked in Nix that at least *some*
+ # tool supports each flag.
 ;;
 esac
 fi
diff --git a/pkgs/os-specific/linux/devmem2/default.nix b/pkgs/os-specific/linux/devmem2/default.nix
index 4cee9678a9b60b..969197c2dc9d1d 100644
--- a/pkgs/os-specific/linux/devmem2/default.nix
+++ b/pkgs/os-specific/linux/devmem2/default.nix
@@ -8,8 +8,9 @@ stdenv.mkDerivation rec {
 sha256 = "14f1k7v6i1yaxg4xcaaf5i4aqn0yabba857zjnbg9wiymy82qf7c";
 };
+ hardeningDisable = [ "format" ]; # fix compile error
+
 buildCommand = ''
- export hardeningDisable=format # fix compile error
 cc "$src" -o devmem2
 install -D devmem2 "$out/bin/devmem2"
 '';
diff --git a/pkgs/os-specific/linux/firmware/fwupdate/default.nix b/pkgs/os-specific/linux/firmware/fwupdate/default.nix
index 3fc7af916368c1..b1cbed1090878c 100644
--- a/pkgs/os-specific/linux/firmware/fwupdate/default.nix
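Review bot: Replacing the `echo "Hardening flag unknown: $flag" >&2` warning with a comment removes the only diagnostic this script emits for a flag it cannot act on, and the Nix-side `assert` added in make-derivation.nix only checks values that arrive through mkDerivation's `hardeningEnable`/`hardeningDisable` arguments; a value that reaches the wrapper by another route (for instance an `export hardeningDisable=...` inside a build script, the very pattern this patch removes from devmem2/default.nix) is presumably now dropped without any trace. Keeping the message behind the `NIX_DEBUG` guard the rest of this file already uses, `if [[ -n "${NIX_DEBUG:-}" ]]; then echo "HARDENING: flag not handled by this wrapper: $flag" >&2; fi`, preserves the signal for debugging without the noise the commit wants to avoid. The `case` statement and the loop enclosing it start outside the hunk.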
+++ b/pkgs/os-specific/linux/firmware/fwupdate/default.nix
@@ -17,7 +17,7 @@ let version = "8"; in
 buildInputs = [ gnu-efi libsmbios popt pkgconfig gettext ];
 propagatedBuildInputs = [ efivar ];
 # TODO: Just apply the disable to the efi subdir
- hardeningDisable = "all";
+ hardeningDisable = [ "all" ];
 patchPhase = ''
 sed -i 's|/usr/include/smbios_c/token.h|smbios_c/token.h|' \
 linux/libfwup.c
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index 2fbaa76c6a4329..b9d8b2d31175c7 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -41,7 +41,20 @@ rec {
 , __propagatedImpureHostDeps ? []
 , sandboxProfile ? ""
 , propagatedSandboxProfile ? ""
+
+ , hardeningEnable ? []
+ , hardeningDisable ? []
 , ... } @ attrs:
+
+ # TODO(@Ericson2314): Make this more modular, and not O(n^2).
+ let allHardeningFlags = [
+ "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro"
+ "bindnow"
+ ];
+ in assert lib.all
+ (flag: lib.elem flag allHardeningFlags)
+ (hardeningEnable ++ hardeningDisable);
+
 let
 dependencies = map lib.chooseDevOutputs [
 (map (drv: drv.nativeDrv or drv) nativeBuildInputs
diff --git a/pkgs/tools/networking/envoy/default.nix b/pkgs/tools/networking/envoy/default.nix
index 79a24ea1f8dd0b..f5362d173e7d45 100644
--- a/pkgs/tools/networking/envoy/default.nix
+++ b/pkgs/tools/networking/envoy/default.nix
@@ -233,7 +233,7 @@ stdenv.mkDerivation rec {
 patches = [ ./nixos.patch ];
- hardeningDisable = "all";
+ hardeningDisable = [ "all" ];
 dontPatchELF = true;
 dontStrip = true;
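Review bot: `allHardeningFlags` does not contain `"all"`, yet `hardeningDisable = [ "all" ]` is exactly what the fwupdate and envoy hunks in this same patch set, and add-hardening.sh keys on `hardeningDisableMap[all]`; as written the new `assert` rejects both of those packages at evaluation time. Adding it to the list, `"bindnow" "all"`, fixes that. A bare `assert` also fails without saying which flag was rejected, so the check is far easier to act on as `in assert lib.all (flag: lib.elem flag allHardeningFlags) (hardeningEnable ++ hardeningDisable) || throw "mkDerivation: unknown flag in hardeningEnable/hardeningDisable";` (or by naming the offending elements in the message). The argument set and the enclosing `rec { … }` begin outside the hunk.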